The inline style tag of the antiClickJack snippet needs unsafe-inline. How can we avoid using unsafe-inline?

Posted 2025-01-16 14:49:40

I am working on a Drupal 9.3.8 site and using the CSP module to set up the CSP header.
There are a few core dependencies or contrib modules which require unsafe-inline in the CSP header, but the scanner recommends not having unsafe-inline, so I am looking for a fix to remove the use of unsafe-inline.

Dependencies that require unsafe-inline:

  • Drupal core ckeditor, modernizr and AJAX calls - which can be handled by the CSP module used above, which adds unsafe-inline only when ckeditor renders, but not when only modernizr is required.
  • Google Analytics module - which adds the script inline instead of putting it in a file and including it on each page. We have a patch compatible with D7 but not with D8/9.
  • AntiClickJack snippet, which is as below:

<style id="antiClickjack">body{display: none !important;}</style>

Solutions:

  • Installed and set up the CSP module as mentioned above to handle the Drupal core libs/dependencies requirements.
  • To handle only the rendering of modernizr.js and unsafe-inline, customization of the CSP module will be needed.
  • For the antiClickJack and google analytics script and style tags, a hash or nonce cannot be added, as unsafe-inline will then be ignored, which will break the handling of the Drupal core requirements.

CSP header that I have is as below:
Content-Security-Policy: default-src 'self'; connect-src 'self' www.google-analytics.com; frame-src 'none'; img-src 'self' data: https://www.google-analytics.com; object-src 'none'; script-src 'self' www.googletagmanager.com www.google-analytics.com ajax.googleapis.com 'unsafe-inline'; script-src-elem 'self' www.googletagmanager.com www.google-analytics.com ajax.googleapis.com; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';

Questions:

  1. How to handle antiClickJack snippet to avoid the use of unsafe-inline?
  2. Do we have a customized approach to add the google analytics script to a file instead of adding it inline?

Comments (1)

蹲在坟头点根烟 2025-01-23 14:49:40
  1. Add the following hash to your style-src: 'sha256-NHgJfLahpnqTyd+gTNfZfM2wjTUfB3Wk1CvqZfZpeHY=' Most browsers will suggest a hash for you, or you can use https://report-uri.com/home/hash. Note that the hash works only as long as the content is unchanged, so use it only for static code.

  2. Google Analytics and Google Tag Manager are not easy to implement without 'unsafe-inline'. You might be able to move them to a file, but I don't know whether that has an impact on the order of events. You will also need to look into CSP nonces for the code they insert. You will need to configure them to use your nonce and make sure that a new nonce is created for every page load. My experience is that setting a custom value for the nonce and changing it on every page load is not trivial, or not possible, within some frameworks, but it is worth a try.
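The following is an added example (not code from the original question, the answer, or the Drupal CSP module) showing what the hash approach in the answer actually does: it hashes exactly the bytes between an inline tag's opening and closing tags, rebuilds the header from the question with those hashes (and optionally a per-request nonce) in place of 'unsafe-inline', and flags the mixing of 'unsafe-inline' with a hash or nonce that the question's third "solution" bullet worries about. The sample markup is constructed: it contains the antiClickjack snippet quoted above plus an assumed inline script standing in for an analytics loader; the host names are copied from the question's own header.

```python
"""CSP hashes for inline <style>/<script> blocks, and a header built without
'unsafe-inline'.  Added example: not code from the original post or from the
Drupal CSP module."""
import base64
import hashlib
import re
import secrets
from typing import List, Optional, Tuple

# Constructed sample markup: the antiClickjack snippet quoted in the question,
# plus an assumed inline script standing in for an analytics loader and an
# external (src=) script that needs no hash.
SAMPLE_HTML = (
    '<head>\n'
    '<style id="antiClickjack">body{display: none !important;}</style>\n'
    '<script>window.dataLayer = window.dataLayer || [];</script>\n'
    '<script src="/core/assets/vendor/modernizr/modernizr.min.js"></script>\n'
    '</head>\n'
)

_INLINE_RE = re.compile(
    r"<(?P<tag>style|script)\b(?P<attrs>[^>]*)>(?P<body>.*?)</(?P=tag)>",
    re.DOTALL | re.IGNORECASE,
)
_HASH_OR_NONCE_RE = re.compile(r"'(?:sha(?:256|384|512)|nonce)-")


def csp_hash(inline_body: str) -> str:
    """Source expression for one inline block.

    The browser hashes exactly the bytes between the opening and closing
    tag (UTF-8, whitespace included, the tags themselves excluded) and
    compares the base64 digest with the policy, so a single changed
    character or added newline invalidates the hash.
    """
    digest = hashlib.sha256(inline_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_blocks(html: str) -> List[Tuple[str, str]]:
    """(tag, body) for every inline style/script.  Scripts with a src=
    attribute are skipped: host sources such as 'self' already cover them."""
    found = []
    for m in _INLINE_RE.finditer(html):
        if re.search(r"\bsrc\s*=", m.group("attrs"), re.IGNORECASE):
            continue
        found.append((m.group("tag").lower(), m.group("body")))
    return found


def new_nonce() -> str:
    """Per-response nonce: 128 random bits, base64, generated on every page load."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_policy(html: str, nonce: Optional[str] = None) -> str:
    """The question's header with hashes (and optionally a nonce) replacing
    'unsafe-inline'.  Host lists are copied from the question's header."""
    blocks = inline_blocks(html)
    style_src = ["'self'"] + [csp_hash(b) for t, b in blocks if t == "style"]
    script_src = ["'self'", "www.googletagmanager.com", "www.google-analytics.com",
                  "ajax.googleapis.com"] + [csp_hash(b) for t, b in blocks if t == "script"]
    if nonce:
        script_src.append("'nonce-" + nonce + "'")
    directives = [
        "default-src 'self'",
        "connect-src 'self' www.google-analytics.com",
        "frame-src 'none'",
        "img-src 'self' data: https://www.google-analytics.com",
        "object-src 'none'",
        "script-src " + " ".join(script_src),
        "style-src " + " ".join(style_src),
        "frame-ancestors 'none'",
    ]
    return "; ".join(directives) + ";"


def unsafe_inline_ignored(directive_value: str) -> bool:
    """True when one directive mixes 'unsafe-inline' with a hash or nonce.
    A CSP Level 2+ browser then ignores 'unsafe-inline' in that directive,
    so every inline block that is not hashed or nonced gets blocked; this is
    the breakage the question's third "solution" bullet describes."""
    return "'unsafe-inline'" in directive_value and bool(
        _HASH_OR_NONCE_RE.search(directive_value))


if __name__ == "__main__":
    print(build_policy(SAMPLE_HTML, nonce=new_nonce()))
    print("unsafe-inline ignored in script-src:",
          unsafe_inline_ignored("'self' 'unsafe-inline' " + csp_hash("x")))
```

Two practical consequences follow from how `csp_hash` works. First, the digest is over the literal content between the tags, which is why the answer restricts hashes to static code: a template that re-indents the block or inserts a per-site value produces a different hash on every change, and a nonce is the right tool for anything generated per request. Second, because a browser that understands hashes or nonces drops 'unsafe-inline' from the same directive, the migration cannot be done one tag at a time: every inline block governed by that directive must be hashed or nonced in the same release, which is the constraint the question's "cannot add hash or nonce" bullet is describing. Note also that the question's header lists `script-src-elem` without 'unsafe-inline'; in browsers that support that directive it, not `script-src`, governs `<script>` elements, so inline scripts there are already being blocked regardless of the 'unsafe-inline' in `script-src`.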
